Will the United Kingdom need a separate data privacy agreement with the European Union post Brexit?
Although their reasoning may differ when answering the question that heads this article, most respondents would probably agree that, in the lead-up to and post-Brexit, a data privacy agreement between the United Kingdom (UK) and the European Union (EU) will need to be ratified, even if it is for no other reason than satisfying the need to understand the playing field that exists at that point in time and, equally importantly, exactly the actions that would need to be taken should something untoward occur. However, even though there may be this general consensus, Brexit, if it does materialise at all, raises further associated questions that require answers. Given the animosity that currently exists in the EU towards the UK, would it be possible to reach an agreement quickly and, if not, what should businesses which regularly transfer private data between the UK and the rest of the EU do to mitigate the situation? Would the lack of any agreement be catastrophic to these businesses and institutions and, in such a situation, would there be a need to suspend, or cease in their entirety, important data transfers? Regrettably, in order to have any hope of answering these leading questions, there is a need to dip our toes into the world of data protection legislation and European politics.
If the speed by which an agreement could be adopted is considered for a moment, along with the complexity of such a document, you could be forgiven for arriving at the conclusion that a simple, legally binding arrangement could be reached relatively swiftly. Unfortunately, however, this is an assumption that would be extremely wide of the mark. It is highly likely that the development of an agreement will be a long and protracted affair despite the facts that the UK has been a member of the EU since 1973, the UK has its own Data Protection Act (DPA) that is, at best, supposed to take into consideration the Articles found in the European DPA, Directive 95/46/EC, and that representatives from the UK have been directly involved in the development of the EU-US Privacy Shield and its predecessor, Safe Harbour; both of which were/are meant to overcome privacy issues associated with the transfer of private data between the EU and United States. But, why?
Although the UK’s DPA 1988 contains many of the Articles defined in Directive 95/46/EC, it has been revealed that, for undisclosed reasons, which may include the UK Government not considering that further amendments to the 1988 Act are necessary, 16 of the 34 Articles that comprise the European Directive have not been implemented correctly in the UK, if indeed at all, including those aimed at restricting the ability of the UK’s Intelligence Service to gain access to private data. Apparently, the European Commission (EC) has known about these deficiencies for a number of years, and by “a number of years” we are talking about 10 years at least, yet a resolution is still outstanding. As recently as 2011, the severity of the situation was such that the EC started to consider infringement proceedings against the UK Government but, and here’s the rub, for reasons which are best known to themselves, as of the date of this article, the EC still has those proceedings under review.
But, surely, when data privacy, and the transfer of personal data between countries, is so important to all concerned, why does this stalemate exist? Unbelievably, the answer to that question is: nobody really knows (other than the UK Government and the EC of course). And, furthermore, largely because of the ongoing threat of litigation, which in itself could be counter-productive, both parties are reluctant to make any detailed comment about the situation. Equally, neither the UK Government nor the EC has expressed any opinion as to how the stalemate can be resolved. In the current climate, two clear options could be available for discussion. Firstly, as a precursor to arranging an ongoing, simplified data privacy agreement, the EC could insist that the UK enact the Directive 95/46/EC deficiencies in their entirety or, more probably, those found in the European General Data Protection Regulation (GDPR), which was adopted by the EU in April this year. However, as the UK Government has been reluctant to adhere to similar requests in the past, there is little likelihood that they will comply with any future requests in the lead-up to Brexit. The second option could be to inaugurate an EU-UK data privacy agreement that would be similar in content and structure to the EU-US Privacy Shield agreement. Although this latter option is possibly the most likely scenario, in either case, it is extremely unlikely that an agreement will be rubber stamped overnight.
So, if that is indeed the case, what happens next? What should businesses do, if and when Brexit finally emerges out of the political fog? It could be suggested that one response would be to sit back, carry on as normal (as if nothing has happened) and wait to find out what does actually transpire. After all, businesses and institutions have been transferring data around Europe under the current regime for years without any catastrophic outcome, so what harm would there be in continuing? And there is little point in implementing any major new policies which will need to be scrapped once an EU/UK agreement has been reached. Temporary agreements, equivalent to those used by Cloud companies in the US, could be instigated while the UK and EU sort their act out or, alternatively, other legislation, such as the UK’s Human Rights Act 1998 (which contains Articles relating to access to personal data), could be utilised to ensure a degree of data privacy. In any event, thanks to the UK Government and the EU, there is a data privacy mess the size of Everest that needs to be swept back out from under the carpet and cleared up – urgently!